Modern enterprise systems, e.g., enterprise resource planning (ERP) systems and customer relationship management (CRM) systems, enforce a variety of different and complex security policies. Moreover, more and more enterprises operate in regulated markets and, thus, need to prove that their information technology (IT) systems comply with applicable regulations.
Modern enterprise systems typically include a variety of dynamic access control constraints that require a complex set of context information for resolution. Access control policies can be provided, which include dynamic access control constraints. A dynamic access control constraint can define which users are allowed to access which resources, e.g., applications or data, for a given context. Because a dynamic access control constraint is based on context, it can only be resolved at runtime, e.g., when the system is operating and a user is able to request access to data. Consequently, how efficiently dynamic constraints are evaluated and resolved affects the overall performance of the access control enforcement infrastructure and, thus, the overall performance of the enterprise system.
Enterprise systems can include highly distributed systems, such as enterprise systems based on the service oriented architecture (SOA) paradigm. In such enterprise systems, a central policy decision point (PDP) is provided and requires information, e.g., properties of resources, to evaluate dynamic constraints. This information is only available through the service that manages the specific resource to which access is being requested. Consequently, the time needed to evaluate and resolve access control constraints can depend on the number of interactions between the central PDP and the distributed services to resolve all required attributes.
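The following sketch is an added illustration, not code from the original text: a central PDP resolves dynamic constraints by fetching resource attributes from the service that manages the resource, and reports how many service interactions each decision required. The class names, the order attributes and the "approve" policy are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class ResourceService:
    """Stand-in for a distributed service that manages one kind of resource."""
    attributes: dict          # resource_id -> {attribute: value}
    calls: int = 0

    def get_attribute(self, resource_id, name):
        self.calls += 1       # models one remote PDP-to-service interaction
        return self.attributes[resource_id][name]

@dataclass
class DynamicConstraint:
    service: str              # service managing the resource
    needs: tuple              # resource attributes required for resolution
    check: Callable           # (user, context, attrs) -> bool, resolved at runtime

class CentralPDP:
    def __init__(self, services, policy):
        self.services, self.policy = services, policy

    def decide(self, user, action, resource_id, context):
        """Return (decision, number of service interactions used)."""
        constraints = self.policy.get(action)
        if not constraints:
            return "Deny", 0  # no applicable rule: default deny
        used = 0
        for c in constraints:
            svc = self.services[c.service]
            attrs = {}
            for n in c.needs:  # one interaction per required attribute
                attrs[n] = svc.get_attribute(resource_id, n)
                used += 1
            if not c.check(user, context, attrs):
                return "Deny", used
        return "Permit", used

# Constructed sample data: one order service and a two-constraint policy.
ORDERS = ResourceService({"o-1": {"owner_dept": "sales", "amount": 900, "status": "open"},
                          "o-2": {"owner_dept": "hr", "amount": 50, "status": "open"}})
POLICY = {"approve": [
    DynamicConstraint("orders", ("owner_dept",), lambda u, ctx, a: a["owner_dept"] == u["dept"]),
    DynamicConstraint("orders", ("amount", "status"),
                      lambda u, ctx, a: a["status"] == "open" and a["amount"] <= ctx["limit"]),
]}
PDP = CentralPDP({"orders": ORDERS}, POLICY)
ALICE = {"id": "alice", "dept": "sales"}
```

A permitted request has to resolve every attribute of every constraint (three interactions here), whereas a request denied by the first constraint stops after one, so decision latency follows the interaction count rather than the size of the policy text.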